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new Case 


ICO consultation on the draft right of access 
guidance 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 
O) Yes 
No 
©) Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


Around the security of information provided to an individual, it states that you should not expect an 
individual to download software in order to access the information sent, however in my experience in 
order to encrypt data sent to an individual, in some circumstances, they may not have the necessary 
software in order to unencrypt the contents, so need to download additional software. Without this some 
companies struggle knowing how to send the data securely, without an expectation for customers to 
download the software to unexcrypt. This could lead to companies sending information in an insecure 
manner to allow relevant access by the recipient. Guidance on sending securely and some examples of 
the sorts of provisions companies should use would therefore help companies understand how to share 
securely and leave no ambiguity. | have also seen instances whereby context of data is enough for an 
individual to work who that data originated from (particularly if an opinion on that individual). Therefore 
although that opinion belongs to the person who submitted the SAR, the outcome is that the individual is 
able to identify who the opinion originally came from based on the context which could lead to risk to that 
3rd partys well being. | appreciate there are exemptions regarding functions designed to protect the 
public, but guidance on risks to 3rd parties (particularly in the above circumstances) would be good. 


Q3 


Does the draft guidance contain enough examples? 


Yes 


© No 
©) Unsure / don't know 

If no or unsure/don’t know, please provide any examples that think should be included in 

the draft guidance. 

the Da part, but an example for extra clarity around a SAR being sent to a Processor would be good 
page 5). 


Q4 


Q5 


We have found that data protection professionals often struggle with applying and defining ‘manifestly 
unfounded or excessive’ subject access requests. We would like to include a wide range of examples 


from a variety of sectors to help you. Please provide some examples of manifestly unfounded and 
excessive 


requests below (if applicable). 


Main thing that I see are ex-employees who are fired or leave an organisation on bad terms. The 
individual then puts in a SAR and although they have not explicity stated that they intend to cause 
disruption, it is quite clear in some cases that is the reason for the SAR. Or that they are just fishing 
for anything that could lead to a compensation claim. An example in relation to this scenario would be 
good, as to whether or not a company could make their own determinations that the request is 
manifestely unfounded, or if this is never ok as it is not explicitly stated. This occurs a lot. 


On a scale of 1-5 how useful is the draft guidance? 


1-Notatall 2-Slightly Moderately 4-—Very 5-Extremely 
useful useful useful useful useful 


r b’ ( ) ( 5 ©) ( ` 


Q6 Why have you given this score? 


The guidance is very useful, but is such a broad topic, that it is extremely difficult to 
cover everything, as a lot of it is case by case scenarios. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Neither agree Strongly 
disagree Disagree nor disagree Agree agree 


© 


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


Are you answering as: 

( D An individual acting in a private capacity (eg someone providing their views as a member of the public) 
C) An individual acting in a professional capacity 

© On behalf of an organisation 

() Other 

Please specify the name of your organisation: 

Beacon Consultant Services 
What sector are you from: 

Business Consultancy 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(|) ICO Facebook account 
©) ICO LinkedIn account 
© ICO website 
©) ICO newsletter 
C) ICO staff member 
C) Colleague 
©) Personal/work Twitter account 
(`) Personal/work Facebook account 
() Personal/work LinkedIn account 
O Other 
If other please specify: 


